This is my first question in this forum, please accept my apologies for any mistake in advance. I have a problem configuring Tomcat with SSL and APR.
Context: tomcat 7, Java 7, OpenSSL, a couple of valid x509 certificates.
My https connector:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
SSLVerifyClient="require" SSLVerifyDepth="3"
SSLCertificateFile="${catalina.home}/security/server.pem"
SSLCertificateKeyFile="${catalina.home}/security/server.key"
SSLCertificateChainFile="${catalina.home}/security/trust.pem"
SSLCACertificateFile="${catalina.home}/security/trust_ca.pem"
/>
PKI tree:
ROOT -> CA_intermediate -> CA4Servers -> server (tomcat)
                                      -> serv2Cert
                        -> CA4People  -> people1Cert
A Windows PC client with 2 certificates in the Windows keystore (Windows-MY): people1Cert and serv2Cert.
trust.pem includes ROOT, CA_intermediate, CA4Servers and the tomcat PEM-encoded public key. trust_ca.pem contains all of trust.pem but the tomcat cert.
What I want:
Go to https://tomcat.server:8443/, the browser presents me the certificate chooser dialog with ONE certificate: serv2Cert, I select it and get into the web page successfully. If I select another certificate, the server presents me an error page.
My problem: When I get the certificate chooser dialog, I see 2 certs: serv2Cert and people1Cert (?). Both of them let me go to the web page! If I change SSLVerifyDepth or trust_ca.pem to limit the client certificates to only serv2Cert, I get SSL errors like unknown ca or unknown certificate.
I've already tried some SSLVerifyDepth values like 1, 2, 3, 4. Only "3" lets me log into the server. If I remove all CA certs from trust_ca.pem but ROOT, it lets me log in with both client certificates (people1Cert and serv2Cert).
I will appreciate any help about this, sorry for my poor English, thank you in advance. Best regards.
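The TLS layer in the connector above accepts any client certificate that chains up to a CA in trust_ca.pem, so both people1Cert and serv2Cert pass once ROOT is trusted; restricting access to certificates issued by CA4Servers can be done in the application instead. The following servlet filter is an added example, not code from the post, and assumes the issuer DN of CA4Servers is supplied as a filter init-param (the placeholder DN in the code is not from the post):

```java
// Added example (not from the original post): a Tomcat 7 servlet filter that
// accepts a request only when the client certificate verified at the TLS layer
// was issued directly by CA4Servers. The default DN below is a placeholder;
// the real DN of CA4Servers is not given in the post.
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

public class IssuerRestrictFilter implements Filter {
    // Request attribute under which Tomcat exposes the verified client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private X500Principal allowedIssuer;

    @Override
    public void init(FilterConfig cfg) {
        // Configured in web.xml; replace the placeholder with the real CA4Servers DN.
        String dn = cfg.getInitParameter("allowedIssuerDN");
        allowedIssuer = new X500Principal(dn != null ? dn : "CN=CA4Servers,O=PLACEHOLDER");
    }

    /** True when the leaf certificate (chain[0]) was issued by the allowed CA. */
    static boolean issuedByAllowedCa(X509Certificate[] chain, X500Principal allowed) {
        if (chain == null || chain.length == 0) {
            return false; // no client certificate was presented or verified
        }
        return chain[0].getIssuerX500Principal().equals(allowed);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain next)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (!issuedByAllowedCa(certs, allowedIssuer)) {
            // Chained to a trusted root, but via another sub-CA (e.g. people1Cert via CA4People).
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate not issued by the required CA");
            return;
        }
        next.doFilter(req, resp);
    }

    @Override
    public void destroy() {
    }
}
```

Register the filter in web.xml with an `allowedIssuerDN` init-param holding the exact subject DN of CA4Servers; SSLVerifyClient="require" must stay on the connector so that a chain is always present.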